United States of America: Closed consultation on FTC Settlement with Drizly for Cybersecurity Failures

On 1 December 2022, the US Federal Trade Commission (FTC) closed the consultation on its proposed order against the alcohol delivery service provider Drizly after coming to a settlement agreement regarding the FTC's investigation of Drizly's failure to follow cybersecurity requirements leading to a data breach. Specifically, the FTC alleged that Drizly did not take basic security measures, stored customer data on an unsecured database, did not properly monitor security threats, and exposed the data of its customers to hackers. The provisions of the order would require Drizly to clarify the purposes of the data it has collected and delete all other information within 60 days. Further, Drizly would be required to make public a retention schedule describing the purpose of retaining information, which it must update before collecting any data on new customers. In addition, the company would be required to establish and implement an Information Security Program and submit to regular compliance evaluation. In addition, any future incidents would have to be reported to the FTC. The FTC will open a public consultation on the proposed order and settlement before finalising them.